Cybersecurity considerations for your startup

Daniel Dowd
4 min read · Sep 19, 2017

Cybersecurity has increased in public awareness over the last few years and reached a high recently with the Equifax data breach, which compromised over 100 million Americans’ personal information. While practicing good security as an individual is key, there is already a ton of comprehensive information out there on credit monitoring, identity theft, using 2FA for sensitive accounts, password best practices, and the list goes on!

However, if you are an entrepreneur or small business leader, there is decidedly less information available on cybersecurity practices for your SMB. With something as important as your company’s security, when should it become a priority?

Biggest (current) threats to consider

Reading about cyber vulnerabilities can be overwhelming. SQL injection, cross-site scripting, man-in-the-middle attacks, OH MY! If you just want to know where to focus your resources, here is a list of the most common attacks and their impacts on SMBs.

  • Phishing/spear-phishing — Wire theft, customer data breach, IP compromise
  • Ransomware — Data and productivity loss
  • Internal/employees (credential reuse, bad actor, etc.) — All
  • DoS/DDoS (this is a decreasing and largely mitigated threat, likely handled by your hosting company) — Downtime, reputation cost

Guiding principles of cybersecurity

  • People will always be your weakest link. You can harden your tech as much as you want, but it can be rendered useless if someone leaves a post-it with their password somewhere. Test and train all staff regularly with social engineering as part of your regular pen testing.
  • Speed is your greatest ally. Don’t wait for a convenient time to push updates, don’t wait to notify customers of a breach of their data, don’t delay a forensic cyber analysis if you believe you have a persistent threat. Damage is inversely correlated with the speed of response.
  • Prepare for the worst. Time is the only thing needed to defeat new security protocols. Everything that can be hacked will be hacked given enough time. Your disaster recovery/business continuity plan should have a cybersecurity section with planned responses to all major threats.
  • Need-to-know basis. Limit all tiers of administrative access only to those who absolutely need it. Compartmentalize sensitive information wherever possible (w/o sacrificing business outcomes). You can have a transparent culture and a tightly kept cybersecurity program at the same time.
  • Test yourself. Regularly. The cadence and depth will vary depending on your industry, but at a minimum, you should conduct one penetration test and social engineering campaign to test employees per year. In cybersecurity, an ounce of prevention is worth a pound of cure.

High-level protocols

Remember that no two organizations’ networks and risks are the same. So, when developing a cybersecurity plan, you should use a bottom-up approach based on your own needs and vulnerabilities. Here are some general initiatives you’ll want to consider.

  • Engage a cybersecurity firm to conduct an initial audit, pen testing, etc.
  • Develop a cyber/info security policy for staff and conduct regular training sessions with updated threat and response scenarios
  • Conduct a business process risk assessment and make the necessary adjustments to internal processes and policies
  • Set up a VPN for employees when working remotely (especially internationally)
  • Enforce mobile device management and mandatory updates
  • Put network monitoring and traffic logging into place
  • Have a clear incident reporting protocol in place for all employees
  • As a last line of defense, consider buying a cybersecurity insurance policy

Additional environmental considerations

Because every business is different, a great cybersecurity program can vary substantially from company to company. Below are some questions to get started on mapping what is right for your business.

  • Do we store customer data? Financial? PII?
  • How much sensitive data is stored locally vs. in the cloud?
  • What is the size of our staff, and how technical are they?
  • How do we balance security controls against a culture of transparency/efficiency?
  • Are there minimum legal requirements for the data/industry we work in?

Hope it is helpful. If you have more questions about cybersecurity for your startup, feel free to reach out here or on Twitter.

Disclaimer: These views are my own. Just me. Solo thoughts.

Daniel Dowd

Brooklyn resident/Austin native, efficiency enthusiast, useless idea factory. Cheerleader for the byte-sized destruction of the world as we knew it.